© 2015 Foley Hoag LLP. All Rights Reserved. Navigating Cyber Security Incident Response: The Legal and Regulatory Landscape November 13, 2015 Colin J. Zick, Esq. Chair, Privacy and Data Security Practice Group Foley Hoag LLP (617) 832-1275 [email protected]

© 2015 Foley Hoag LLP. All Rights Reserved.

Navigating Cyber Security Incident Response:

The Legal and Regulatory Landscape

November 13, 2015

Colin J. Zick, Esq., Chair, Privacy and Data Security Practice Group

Foley Hoag LLP, (617) 832-1275

[email protected]

Overview

The current legal and regulatory data privacy and security landscape

Recent examples of data breach and response

Understanding how that landscape impacts data breach response

2015: A Busy (and Dangerous) Year

Breaches and cyber attacks continued to occur at a high frequency.

A high percentage of the known breaches/attacks could have been prevented.

While some attacks are very high tech, low tech attacks are very popular and often successful.

Perpetrators know this and exploit human weaknesses.

Cyber-espionage is an established tool, but its actual impact is difficult to determine, since if the attackers do it right, no one knows they’ve done it!

Some of 2015’s Notable Breaches

The Office of Personnel Management disclosed two breaches, affecting 21.5 million federal workers and exposing the personnel data of 4.2 million individuals, and resulting in the resignation of the OPM director.

CareFirst BlueCross BlueShield reported in May that it had been hit by an attack that compromised about 1.1 million members.

In June, Kaspersky Lab (a security vendor) announced that it had discovered a malware platform that had infiltrated several of its internal systems.

In March, Premera Blue Cross announced it suffered a security breach, with as many as 11 million subscribers affected.

Earlier this year, it was announced that cybercriminals from Eastern Europe had infiltrated at least 100 banks in 30 countries, resulting in $1 billion in fraudulent transfers over a two-year period.

In February, an Anthem database with approximately 80 million patient and employee records was reported breached.

Regulators, Company Boards, Accountants and Lawyers Are Focusing on Cyber-Security

Boards of Directors are recognizing their responsibility and asking more difficult questions to CEOs and CIOs.

Some companies are considering a “cyber-seat” on the Board, or specialized board advisors.

M&A requires a cyber-security assessment of companies for potential investments.

FTC, SEC, DHS, HHS and other regulators are recognizing the centrality of cyber and information security to the integrity of our financial infrastructure, and that executives may be held personally responsible.

Companies are receiving significant penalties from the FTC for cyber-security incidents (fines + 20 year audit requirement).

Laws Impacting Data Privacy and Security

Federal and 50 State Laws Governing:
– What information can be collected
– How it must be stored and secured
– Under what circumstances it can be shared
– Under what circumstances it can be disclosed
– Requirements for responding to data breaches and data losses
– Penalties for data breaches and data losses

And then there are the international laws . . .

Selected List of U.S. Laws Impacting Data Privacy and Security

Administrative Procedure Act (5 U.S.C. §§ 551, 554-558)
Cable Communications Policy Act (47 U.S.C. § 551)
Cable TV Privacy Act of 1984 (47 U.S.C. § 551)
Census Confidentiality Statute (13 U.S.C. § 9)
Children’s Online Privacy Protection Act of 1998 (15 U.S.C. § 6501, et seq., 16 C.F.R. § 312)
Communications Assistance for Law Enforcement Act of 1994 (47 U.S.C. § 1001)
Computer Fraud and Abuse Act, as amended by the USA PATRIOT Act (18 U.S.C. § 1030)
Computer Security Act (40 U.S.C. § 1441)
Consumer Financial Protection Act of 2010 (Pub. L. No. 111-203, 124 Stat. 1376)
Criminal Justice Information Systems (42 U.S.C. § 3789g)
Counterfeit Access Device and Computer Fraud Abuse Act of 1984 (18 U.S.C. § 1030)
Customer Proprietary Network Information (47 U.S.C. § 222)
Driver’s Privacy Protection Act (18 U.S.C. § 2721)
Drug and Alcoholism Abuse Confidentiality Statutes (21 U.S.C. § 1175; 42 U.S.C. § 290dd-3)
Electronic Communications Privacy Act (18 U.S.C. § 2701, et seq.), aka Stored Communications Act
Electronic Funds Transfer Act (15 U.S.C. §§ 1693, 1693m)
Employee Polygraph Protection Act (29 U.S.C. § 2001, et seq.)
Employee Retirement Income Security Act (29 U.S.C. § 1025)
Equal Credit Opportunity Act (15 U.S.C. § 1691, et seq.)
Equal Employment Opportunity Act (42 U.S.C. § 2000e, et seq.)
Fair Credit Billing Act (15 U.S.C. § 1666)

Selected List of U.S. Laws Impacting Data Privacy and Security (cont.)

Fair and Accurate Credit Transactions Act of 2003
Fair Credit Reporting Act (15 U.S.C. § 1681, et seq.)
Fair Debt Collection Practices Act (15 U.S.C. § 1692, et seq.)
Fair Housing Statute (42 U.S.C. §§ 3604, 3605)
Family Educational Rights and Privacy Act (20 U.S.C. § 1232g)
Freedom of Information Act (5 U.S.C. § 552) (FOIA)
Genetic Information Nondiscrimination Act (P.L. 110-233, 122 Stat. 881)
Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801, et seq.)
Health Insurance Portability and Accountability Act (Pub. Law No. 104-191 §§ 262, 264; 45 C.F.R. §§ 160-164)
Health Research Data Statute (42 U.S.C. § 242m)
HITECH Act (Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5)
Mail Privacy Statute (39 U.S.C. § 3623)
Paperwork Reduction Act of 1980 (44 U.S.C. § 3501, et seq.)
Privacy Act of 1974 (5 U.S.C. § 552a)
Privacy Protection Act (42 U.S.C. § 2000aa)
Right to Financial Privacy Act (12 U.S.C. § 3401, et seq.)
Tax Reform Act (26 U.S.C. §§ 6103, 6108, 7609)
Telecommunications Act of 1996 (47 U.S.C. § 222)
Telephone Consumer Protection Act of 1991 (47 U.S.C. § 227)
U.S.A. Patriot Act (Pub. L. 107-56) (bill extending three anti-terrorism authorities signed 02/25/11)
Video Privacy Protection Act of 1998 (18 U.S.C. § 2710)
Wiretap Statutes (18 U.S.C. § 2510, et seq.; 47 U.S.C. § 605)

Legal Framework – A subset

Customer Privacy Laws
– Federal and state identity theft laws and regulations
  • Requiring customer notice
  • Requiring information security programs
– FTC Act / Consumer information
– HIPAA / Medical information regulation
– Gramm Leach Bliley / Financial information regulation
– Regulations for specific industries (e.g., FCC CPNI Regulations)
– Laws governing specific information (e.g., Social Security number statutes)
– Negligence / Consumer protection laws

Authorized Use Statutes
– Computer Fraud & Abuse Act (CFAA)
– Electronic Communications Privacy Act (ECPA)
– Stored Communications Act (SCA)

Surveillance / Information Security Law
– Federal & State Wiretapping Statutes
– Invasion of Privacy

Property Law
– Larceny / Conversion
– Trade Secrets
– Copyright / Digital Millennium Copyright Act (DMCA)

BASIC TEMPLATE FOR FEDERAL AND STATE PRIVACY LAWS

Define the type of “non-public personal information” (“NPI”) that is being regulated

Provide that NPI must be protected from disclosure to unauthorized holders unless “anonymized” or “aggregated”

Require the development, implementation, maintenance and monitoring of comprehensive, written information security programs:
– Collect only needed information
– Retain only as long as necessary
– Provide access only to those with a legitimate business purpose
– Implement specific administrative, physical and electronic security measures to ensure protection

Require prompt notice to individuals whose NPI is compromised

Provide for the imposition of penalties for breaches by NPI custodians

Require the disposal of personal information in such a way that it cannot be read or reconstructed after disposal

Protected Information

This varies from state to state
– CA: SSN, driver’s license, financial account numbers, medical information
– FL: SSN, driver’s license, financial account numbers
– MA: SSN, driver’s license, financial account numbers
– NY: SSN, driver’s license, financial account numbers, passwords, mother’s maiden name
– TX: SSN, driver’s license, financial account numbers, medical information, health insurance, passwords, mother’s maiden name, date of birth, electronic ID numbers

State Law Notification Matrix

STATE | TRIGGER                            | EXCEPTION                                       | PARTY                                      | PRIVATE ROA?
CA    | Acquisition                        | Lack of Harm                                    | Individuals, CRA                           | Yes
FL    | Acquisition                        | Lack of Harm, Consultation with law enforcement | Individuals, CRA                           | No
MA    | Acquisition, Misuse, Risk of Fraud | None                                            | Individual, Owner, AG, other agencies      | No
NY    | Acquisition                        | None                                            | Individual, Owner, AG, other agencies, CRA | No
TX    | Acquisition                        | Alternative notification                        | Individual, Owner, CRA                     | No

Key Requirements of the Massachusetts (and Most States’) Data Security Law

Develop a written information security policy.

Designate an individual who will be responsible for your information security program.

Identify what personal information your business possesses, where it is kept and who has access to it.

Place reasonable restrictions on access to personal information: physical restrictions for hard copy files; log-in and password protection for electronic files.

Take steps to ensure that third party service providers have the capacity to protect personal information.

Prevent terminated employees from accessing personal information.

Regularly monitor and update security measures.

Inventory/Audit

What Information Do We Have?

Where Is It?

Who Has It? Why Do They Have It?
– Why Do We Have It?

What Are The Risks?
– How Would Customers and Employees React to Accidental Disclosure?

What Safeguards Address Them?
– Physical
– Technical
– Administrative

What Are Our Obligations?

Keys to a Successful Cyber Breach Response

Have resources pre-identified and pre-contracted. You don’t have time to deal with contracting delays

Time is ticking down on state/federal notification deadlines

Train IT people on how to preserve key logs and other pieces of evidence. Have them forensically collected, perhaps by specialists

Counsel should check to see if state statutes require computer forensic professionals to hold valid Private Investigator licenses

You need to determine if an incident occurred, when it occurred, how it occurred, if insiders were involved, and whether the intrusion has been definitively stopped

Keys to a Successful Cyber Breach Response (cont.)

Check with your insurer for resources (like forensic specialists) who are on their pre-approved panel

You may have to use monitoring of the network to independently determine if the incident has stopped

Cyber forensic investigations can take time, but good practitioners know that you have deadlines and will work to provide the best advice within the schedules of the response team

One issue that we see is failure to escalate quickly, causing ineffective response and wasted time

What is in-house and outside counsel’s role in responding to a breach?

Notice:
– To federal/state agencies
– To those impacted by the breach as both a matter of state law and risk management

Mitigation

The role of notice and credit monitoring

In post-breach public statements, what key points should be included to minimize litigation risk?

To what extent can a company be liable for lost data?

Incident Response and Investigation

Keys to Successful Response

You need to determine if an incident occurred, when it occurred, how it occurred, if insiders were involved, and whether the intrusion has been definitively stopped.

Have resources pre-identified and pre-contracted. You won’t have time to deal with contracting delays.

Check with your insurer for resources (like forensic specialists) who are on their pre-approved panel.

Cyber forensic investigations can take time, but good practitioners know that you have deadlines and will work to provide the best advice within the schedules of the response team.

Keep track of state/federal notification deadlines.

Keys to Successful Response (cont.)

Train IT people on how to preserve key logs and other pieces of evidence.
– Have them forensically collected, perhaps by specialists.

You may have to use monitoring of the network to independently determine if the incident has stopped.

Failure to escalate quickly results in an ineffective response and wasted time.

Thank you!

Colin Zick

Partner and Chair,

Privacy & Data Security Practice

Foley Hoag LLP

[email protected]

617.832.1275